Benchmark: 6.3 Develop internal and external software applications (including web-based administrative access to applications) securely
Description
Develop internal and external software application securely as follows: in accordance with PCI DSS (for example, secure authentication and logging), based on industry standards and/or best practices, incorporating information security throughout the software-development life cycle. Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party. Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 6.3 Develop internal and external software applications (including web-based administrative access to applications) securely.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_6_3Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_6_3 --shareBenchmarks
- 6.3.1 Examine written software-development procedures and interview responsible personnel to verify that pre-production and/or custom application accounts, user IDs and/or passwords are removed before an application goes into production or is released to customers
- 6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes)
- 6.3.a Examine written software-development processes to verify that the processes are based on industry standards and/or best practices
- 6.3.b Examine written software-development processes to verify that information security is included throughout the life cycle
- 6.3.c Examine written software-development processes to verify that software applications are developed in accordance with PCI DSS